(54) Data communications systems and methods

(57) In order to improve the security of message transmission from a terminal apparatus 1 in a communications system a check-sum or MAC is computed from the data within the message in dependence upon a cryptographic key (KEY 1). This MAC is issued as a "challenge" to a user who is also equipped with a separate portable token 2 for computing a "response" in dependence upon a second cryptographic key (KEY 2) which is unique to his token or depends upon an entered PIN number. This response is then entered into the terminal 1 and appended to the message as its authentication code before transmission. A recipient of the message and authentication code equipped with the same cryptographic keys can therefore check both the contents of the message e.g. to determine whether it has been attacked, and the correct identity of the sender by computing an expected authentication code from the received message and comparing it with the code received. The "challenge" MAC may also be appended to the message along with the "response".
The drawing(s) originally filed was/were informal and the print here reproduced is taken from a later filed formal copy.



GB2190820A



SPECIFICATION 

Data communication systems and methods 

This invention relates to communication systems and particularly to systems for data communications. More specifically, the invention is concerned with improving the security of transactions flowing across a communications network — a factor of ever increasing importance particularly in the field of electronic funds-transfer and for other systems carrying financially or commercially sensitive information.

In many circumstances it is important not only to protect the messages in such a system from passive interception but also, and often of greater importance, to be able to detect any active attack against messages. An active attack may take the form of an interceptor tampering with the message: altering it, adding information, removing information and so on. While it is almost impossible to prevent an active attack there are many mechanisms which aim to ensure that such an attack will be detected and hence can be rendered harmless. Known techniques to allow detection and thus audit take many forms of which the most common are normally cryptographically based and depend upon the generation, before transmission of the message, of a check-sum which is then appended to the message. The theory underlying this approach is that if a would-be fraudster changes any part of the message in any way then the check-sum will no longer be correct and thus the recipient of such a message can compute, for himself, the expected check-sum, compare it with that received in the message, and if they disagree will know that the message has been altered in some way. If on the other hand the expected and received check-sums agree then he knows with a high probability that the message has not been altered. This probability is dependent upon the amount of information in the check-sum — ideally the more information within it (i.e. the longer it is) the lower the probability of an undetected alteration.

Many such systems exist. Some of these depend only upon an algorithmic check-sum, often called a test-key or authentication parameter. In this case the security level is often relatively low since someone attacking the system with knowledge of this algorithm may be aware of ways in which he can alter the message without affecting the check-sum computation. A trivial example of this is as follows: suppose the check-sum on a numeric message is computed solely as the modulo-10 sum of all digits in the message. An attack upon the system which involves altering only the order of the digits in the message would not be detected by the check-sum.

A normally more secure technique involves the use of a cryptographic check-sum, often termed a message authentication code (MAC). In this case the check-sum is dependent not only upon the cryptographic algorithm but also a cryptographic key. An example of this, in common usage, is the system described within American National Standards Institute (ANSI) standards X9.9 and X9.19. Within these standards the cryptographic algorithm is the Data Encryption Algorithm as described in FIPS 46 and ANSI X3.92. The cryptographic key is a 56-bit DEA key. The check-sum or MAC is a 32-bit value appended to the message. It is currently generally accepted that provided the cryptographic key is kept secret then any alteration to the message can be detected by the recipient with a probability of 0.9999999998 (i.e. 1 - 1/2^32).

Within some communications systems protection of messages in the above manner is considered adequate. However, there do also exist many systems within which it is important not only to detect any alterations to the message, and thus be able to provide alarms and an audit system of these, but also to confirm the identity of the person or group of persons from which such a message originated; this is in some sense equivalent to requiring a verifiable "signature" on the message. It is an aim of the present invention to provide a system within which these two functions can be integrated together in a convenient manner and with a potentially very high level of security.

Accordingly in one aspect the invention resides in a method of secure message transmission from a terminal apparatus to a remote receiving station in a communications system, which involves appending to a message to be transmitted an authentication code the value of which depends upon both the information in the message and information representing the identity of the sender, and wherein the authentication code is produced by a method comprising the steps of: computing within the terminal apparatus a first code the value of which depends upon the information within the message; issuing that code to the sender; computing a second code from said first code and information representing the identity of the sender, within a token assigned to the sender and which can be actuated to perform this computation only upon the recognition of a PIN (personal identification number) or other correct input indicative of the authority of the sender (e.g. a fingerprint or other biometric parameter); and entering said second code into the terminal apparatus, that code or a derivative thereof constituting the authentication code.

In use of a method according to the invention the genuineness of the message as received at the receiving station can be checked — both as to its contents and the identity of its purported sender — by comparing the received authentication code with the "expected" code computed from the received message at that station. Most preferably, the computation of the aforesaid first and second codes prior to transmission of the message is dependent upon respective cryptographic keys held in the terminal apparatus and the sender's token, knowledge of or access to both of which would therefore be required in order to subvert the system. The sender's token may conveniently be in the form of a small portable unit completely structurally separate from the terminal apparatus and akin to a hand-held calculator, comprising a keypad for entry of the sender's PIN (if that is the form of authorisation input employed) and the first (message-dependent) code issued by the terminal, and a display to indicate the second code which the token computes from the first code and the sender's identity information. The latter is itself preferably represented by a unique key embedded in the token, under which the cryptographic computation takes place. In particular, the senders' tokens for use in a method according to the invention may thus in themselves be constructionally and functionally equivalent to the users' password generators in a so-called "dynamic password" access-control system, such as that marketed by Racal-Guardata Limited under the trade mark WATCHWORD.

An example of a communications system operating a secure message-transmission technique in accordance with the invention will now be more particularly described with reference to the accompanying drawing, which is a combined schematic block diagram and flow chart of the process of generating a message authentication code at a user's terminal station. For the purposes of this description it will be assumed that this is part of a corporate banking network where the bank is accepting payments, transfers and the like into a central computer from its customers.

Within his terminal 1 the bank customer compiles a data message as a series of binary digits. The first step in the generation of the ultimate authentication code to append to this message is to compute an initial check-sum or MAC from the information in the message using a cryptographic algorithm and a cryptographic key — indicated as KEY 1 in the drawing — supplied to the customer by the bank and held within his terminal in a tamper-resistant module. The computation of this MAC may proceed in accordance with the Data Encryption Standard (DES) as described above in relation to the prior art, but in this case the MAC is not appended directly to the message. Instead, it is issued, normally in a modified form, to the user as a "challenge", for example in the form of a decimal number displayed on the terminal's VDU screen.

To respond to this "challenge" each user is also supplied with a personal token 2 in the form of a completely portable, hand-held device similar to a "dynamic password" generator as indicated above. The user enters into this token the "challenge" number displayed by the terminal and the token computes from this a "response" number which is issued in decimal form on the token's own display. This computation is made, again preferably in accordance with the DES, using a cryptographic algorithm and a second cryptographic key — indicated as KEY 2 in the drawing — which is embedded in the token in tamper-resistant form and is unique for each individual user's token. Thus this "response" number depends both upon the information contained in the original message (because it is derived from the initial MAC) and upon the identity of the user (as represented by the particular cryptographic key used for the computation). Before the token can be operated to make this computation, however, it must first have the appropriate user's personal identification number (PIN) entered into it. This PIN is used only to control access to the operation of the token, not as the means of identifying the user in the actual computation, and therefore it need not be known by any other part of the system. It can readily be arranged, therefore, for each user to select (and re-select) his PIN at will and for individual PINs to be retained in utmost secrecy.

The user then enters the computed "response" number into the terminal 1, where it is assembled with the original message, in binary form, as the final authentication code, and this message plus "response" is transmitted over the communications network to the bank. At the receiving station the bank holds cryptographic keys corresponding to KEYS 1 and 2, themselves encrypted under a master key contained in a physically secure enclosure. Using these keys the recipient can compute the authentication code which should correspond to the received message and compare it with the received code, thus both checking for any unauthorised interference with the contents of the message and confirming the identity of the purported sender.

At the receiving end, a system as described above could only be compromised while being set up or through breach of the enclosure which holds the master key — which can be expected to be highly secure. At the user level it can only be compromised via an attack upon both the user's cryptographic terminal facility (holding KEY 1) and his token (holding KEY 2). A stolen token will be of no use to a potential fraudster without also having both knowledge of the rightful user's PIN and access to a corresponding terminal or knowledge of its KEY 1.

From the foregoing, it will be apparent that this system provides a coded signal appended to the message which is in the form of a "signature" corresponding to the identity of the user but which also depends on the message itself. Thus this signal cannot successfully be removed from the message and appended to another message since it will no longer be appropriate and any such unauthorised action would be detected by the recipient.

Even if an unauthorised person were able to discover the cryptographic key used in a terminal for computing the initial MAC (KEY 1), this would not be sufficient to penetrate the system since any alteration to a message and its corresponding MAC requires corresponding alteration of the "response" which cannot successfully be accomplished without access to or knowledge of the rightful user's KEY 2. In view of this it would even be possible for the bank to give all its customers the same cryptographic key for computing the initial MAC and yet still be assured of a high level of security by virtue of the "response" confirmation.

In a modification, the initial MAC computed at the terminal may be appended to the transmitted message as well as the "response" number computed in the token. This may be advantageous as it enables the correctness of the actual message to be checked at the receiving station by reference to the MAC by someone who does not need to have any information about the sender. The sender's identity can be separately checked using the "response" number. This also means that it is possible to arrange for the sender's identity to be "notarised" by an independent party equipped with the relevant sender's token's cryptographic key (KEY 2), a process which may be required e.g. in dealing networks as a mechanism to guarantee the veracity of the "signatures" on transmitted messages and to avoid the falsification of "signatures" by recipients.
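
The challenge and response flow described above, including the modification in which the first code is also appended, sketched as an added example that is not part of the specification. HMAC-SHA256 stands in for the DES-based MAC, and the eight-digit display width, the function names, keys, PIN and messages are assumptions constructed for illustration.

```python
import hashlib
import hmac

DIGITS = 8  # assumed width of the decimal numbers shown on the two displays

def mac_decimal(key: bytes, data: bytes) -> str:
    """Keyed check-sum as a fixed-width decimal string. HMAC-SHA256 is a
    stand-in here for the DES-based MAC that the specification names."""
    n = int.from_bytes(hmac.new(key, data, hashlib.sha256).digest()[:8], "big")
    return f"{n % 10**DIGITS:0{DIGITS}d}"

class Token:
    """Token 2: holds KEY 2 and computes only after the correct PIN is entered."""
    def __init__(self, key2: bytes, pin: str):
        self._key2, self._pin = key2, pin
    def respond(self, pin: str, challenge: str) -> str:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("PIN not recognised; token stays locked")
        return mac_decimal(self._key2, challenge.encode())

def bank_verify(key1: bytes, key2: bytes, message: bytes, response: str) -> bool:
    """Receiving station: recompute challenge and response, then compare."""
    expected = mac_decimal(key2, mac_decimal(key1, message).encode())
    return hmac.compare_digest(expected.encode(), response.encode())

def notary_verify(key2: bytes, challenge: str, response: str) -> bool:
    """Modification: a holder of KEY 2 alone checks the sender from the appended challenge."""
    expected = mac_decimal(key2, challenge.encode())
    return hmac.compare_digest(expected.encode(), response.encode())

def demo() -> dict:
    key1, key2 = b"constructed-KEY-1", b"constructed-KEY-2-user-A"  # sample keys
    token = Token(key2, pin="4071")               # constructed PIN
    msg = b"PAY 1500.00 GBP TO ACCT 11112222"     # constructed message
    challenge = mac_decimal(key1, msg)            # terminal 1, shown on the VDU
    response = token.respond("4071", challenge)   # keyed back into the terminal
    # Someone who has learned KEY 1 but not KEY 2 alters the message.
    forged = b"PAY 9500.00 GBP TO ACCT 99998888"
    guess = mac_decimal(b"not-KEY-2", mac_decimal(key1, forged).encode())
    try:
        token.respond("0000", challenge)
        locked = False
    except PermissionError:
        locked = True
    return {
        "genuine": bank_verify(key1, key2, msg, response),
        "altered_or_transplanted": bank_verify(key1, key2, forged, response),
        "key1_only_forgery": bank_verify(key1, key2, forged, guess),
        "notarised": notary_verify(key2, challenge, response),
        "wrong_pin_locked": locked,
    }

if __name__ == "__main__":
    print(demo())
```

Because the response depends on the message only through the displayed challenge, the number of challenge digits bounds how strongly the final code binds to the message.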

CLAIMS

1. A method of secure message transmission from a terminal apparatus to a remote receiving station in a communications system, which involves appending to a message to be transmitted an authentication code the value of which depends upon both the information in the message and information representing the identity of the sender, and wherein the authentication code is produced by a method comprising the steps of: computing within the terminal apparatus a first code the value of which depends upon the information within the message; issuing that code to the sender; computing a second code from said first code and information representing the identity of the sender, within a token assigned to the sender and which can be actuated to perform this computation only upon recognition of a correct input indicative of the authority of the sender; and entering said second code into the terminal apparatus, that code or a derivative thereof constituting the authentication code.

2. A method according to claim 1 wherein the computation of said first and second codes is dependent upon respective cryptographic keys held in the terminal apparatus and token.

3. A method according to claim 2 wherein the cryptographic key held in the token is unique for each individual token in the system and thus represents the identity of the corresponding sender.

4. A method according to any preceding claim wherein the token is portable and in use completely structurally separate from the terminal apparatus.

5. A method according to any preceding claim wherein the token can be activated to perform the computation of said second code upon the recognition of a correct sender's personal identification number inputted to it.

6. A method according to any one of claims 1 to 4 wherein the token can be activated to perform the computation of said second code upon the recognition of a correct sender's biometric parameter inputted to it.

7. A method according to any preceding claim wherein said first code is also appended to the message to be transmitted.

8. A method of secure message transmission from a terminal apparatus to a remote receiving station in a communications system, substantially as hereinbefore described with reference to the accompanying drawing.

9. Apparatus for secure message transmission to a remote receiving station in a communications system, by a method which involves appending to a message to be transmitted an authentication code the value of which depends upon both the information in the message and information representing the identity of the sender, comprising: a terminal apparatus adapted to compute a first code the value of which depends upon the information within the message and to issue that code to the sender; and a token assigned to the sender which is adapted to compute a second code from said first code and information representing the identity of the sender and which can be activated to perform this computation only upon recognition of a correct input indicative of the authority of the sender; the terminal apparatus also being adapted to receive said second code and append that code or a derivative thereof to the message as said authentication code.

10. Apparatus according to claim 9 and adapted to perform the method of any one of claims 2 to 8.